Open source Log4j scanners are here to save the day

Several cybersecurity experts have released free scanners to help organizations find vulnerable Log4j instances.

The Cybersecurity and Infrastructure Security Agency (CISA), for example, released a Log4j scanner on GitHub, based on an earlier version built by security company FullHunt.

CISA said that this tool looks for two vulnerabilities, CVE-2021-44228 and CVE-2021-45046, and supports DNS callback for vulnerability discovery and validation. It also provides fuzzing for HTTP POST data parameters, as well as for JSON data parameters.

Cybersecurity experts at CrowdStrike have also released a similar scanner called CAST.

The scanners are faulty

However, the researchers cautioned that neither of these tools is perfect, and they could end up missing a vulnerability or two.

Yotam Perkal, head of research at security firm Rezilion, analyzed these tools and published the results in a blog post. According to Perkal, many scanners missed certain versions of the vulnerability.

"The biggest challenge is detecting Log4Shell in software packaged in production environments: Java files (such as Log4j) can be nested a few layers inside other files, meaning a cursory search for the file won't find it," Perkal wrote. "In addition, they can be packaged in many different formats, which creates a real challenge to dig into other Java packages."

Perkal tested a total of nine scanners, and while some performed better than others, none were able to identify all vulnerable Log4j implementations.

"It also reminds us that detection capabilities are only as good as your detection method. Scanners have blind spots," Perkal concluded. "Security officials cannot blindly assume that various open source or even commercial-grade tools will be able to detect all edge cases. And in the case of Log4j, there are many edge instances in many places."
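To illustrate the nesting problem Perkal describes, here is an added example written for this article (it is not one of the scanners discussed above): it walks every archive nested inside an archive, rather than matching file names at the top level, identifies log4j-core by the Maven metadata and JndiLookup class that the real jar ships with, and checks the version against the affected range. The ear/war/jar fixture is constructed in memory for the demonstration.

```python
import io
import zipfile

# Maven metadata that log4j-core ships inside its jar; its "version=" line identifies the build.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class behind CVE-2021-44228; a common mitigation deletes it from old jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def version_is_vulnerable(version):
    """2.0-beta9 .. 2.15.0 are affected (CVE-2021-44228 / CVE-2021-45046), except the 2.3.1 and 2.12.2+ backports."""
    if version.startswith("2.0-beta"):
        return int(version[len("2.0-beta"):]) >= 9
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    parts += (0,) * (3 - len(parts))
    if parts == (2, 3, 1) or (2, 12, 2) <= parts < (2, 13, 0):
        return False
    return (2, 0, 0) <= parts <= (2, 15, 0)

def scan_archive(data, path=""):
    """Walk an archive (as bytes) and every archive nested inside it; return (nested_path, version, has_jndi_lookup) per log4j-core found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not really an archive; nothing to descend into
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                        if l.startswith("version=")), "unknown")
        findings.append((path, version, JNDI_CLASS in names))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):  # descend: jar inside war inside ear
            findings.extend(scan_archive(zf.read(name), f"{path}!/{name}" if path else name))
    return findings

def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_fixture():
    """Constructed sample (not a real deployment): log4j-core 2.14.1 two layers deep, ear -> war -> jar."""
    core = _make_zip({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "index.html": "<html/>"})
    return _make_zip({"app.war": war, "META-INF/application.xml": "<application/>"})
```

Running `scan_archive(build_fixture(), "app.ear")` reports the jar at `app.ear!/app.war!/WEB-INF/lib/log4j-core-2.14.1.jar` with version 2.14.1 and the JndiLookup class present; a scanner that only lists top-level files would see `app.ear` and nothing else.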

Log4Shell

Log4j is a Java logger that was recently discovered to contain a critical flaw, which could allow malicious actors (even those with very low skills) to execute arbitrary code on millions of endpoints and deploy malware, ransomware and crypto miners on them.

Further investigation revealed that Log4Shell, as the flaw is known, is one of the most serious security vulnerabilities in recent memory. Jen Easterly, director of CISA, called it "one of the most serious" she has seen in her entire career, "if not the most serious."

Apache has so far released at least three fixes for Log4j since the vulnerability was discovered, and users are encouraged to update immediately.

Via ZDNet